I?m using OpenConnect to connect to junosphere topologies. This works great in 7.06, but I seem to have a repeatable segmentation fault in 7.07 I?m using one of my FreeBSD hosts here. I can repeat this behaviour on different hosts, FreeBSD 10 & 11. I also get what looks like the same failure with 7.07 on CentOS 6.7. Unfortunately, I can?t find a way to easily roll that back to 7.06 to confirm (I?m *BSD at heart). Let me know what information you need from me to investigate this further. This is what I see when using 7.07 ------ root at lucy:/usr/ports# uname -a FreeBSD lucy.flibble.org 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297538: Mon Apr 4 14:33:48 UTC 2016 root at lucy.flibble.org:/usr/obj/usr/src/sys/GENERIC amd64 root at lucy:/usr/ports/openconnect# openconnect -V OpenConnect version v7.07 Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS root at lucy:/usr/ports/openconnect# openconnect --juniper https://sa7r.junosphere.net/ WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support. GET https://sa7r.junosphere.net/ Connected to 66.129.245.73:443 SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Certificate from VPN server "sa7r.junosphere.net" failed verification. Reason: unable to get local issuer certificate Enter 'yes' to accept, 'no' to abort; anything else to view: yes Connected to HTTPS on sa7r.junosphere.net Got HTTP response: HTTP/1.1 302 Found GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net frmLogin username:<removed> password: POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net Got HTTP response: HTTP/1.1 302 Moved GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi?p=user-confirm&id=state_d92c3688663b4f88c055ef8afbc5dac7 SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net Got HTTP response: HTTP/1.1 302 Moved GET https://sa7r.junosphere.net/dana/home/starter0.cgi?check=yes SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net Segmentation fault (core dumped) ------ If I use portdowngrade to pull 7.06 from the ports tree svn repository and do a non-installed build of that then it works fine and I can access all my junosphere VMs over this. ------ root at lucy:/usr/ports/openconnect# work/openconnect-7.06/openconnect -V OpenConnect version v7.06-unknown Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS root at lucy:/usr/ports/openconnect# work/openconnect-7.06/openconnect --juniper https://sa7r.junosphere.net/ WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support. GET https://sa7r.junosphere.net/ Attempting to connect to server 66.129.245.73:443 SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Certificate from VPN server "sa7r.junosphere.net" failed verification. Reason: unable to get local issuer certificate Enter 'yes' to accept, 'no' to abort; anything else to view: yes Connected to HTTPS on sa7r.junosphere.net Got HTTP response: HTTP/1.1 302 Found GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net frmLogin username:<removed> password: POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net Got HTTP response: HTTP/1.1 302 Moved GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi?p=user-confirm&id=state_b09ee759faf08cb5cc8150af9a792ef3 SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net Got HTTP response: HTTP/1.1 302 Moved GET https://sa7r.junosphere.net/dana/home/starter0.cgi?check=yes SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net SSL negotiation with sa7r.junosphere.net Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on sa7r.junosphere.net add host 66.129.245.73: gateway 162.243.141.1 route: writing to routing socket: No such process delete net 10.233.244.6: gateway 10.233.244.6 fib 0: not in table add net 10.233.244.6: gateway 10.233.244.6 route: writing to routing socket: No such process delete net 10.233.240.0: gateway 10.233.244.6 fib 0: not in table add net 10.233.240.0: gateway 10.233.244.6 route: writing to routing socket: No such process delete net 8.8.8.8: gateway 10.233.244.6 fib 0: not in table add net 8.8.8.8: gateway 10.233.244.6 route: writing to routing socket: No such process delete net 10.233.255.254: gateway 10.233.244.6 fib 0: not in table add net 10.233.255.254: gateway 10.233.244.6 cp: /dev/null.bak: Operation not supported Connected tun0 as 10.233.244.6, using SSL ESP session established with server ------ CentOS details. I haven?t included the failure as it?s identical to the one on FreeBSD ------ [root at northstar ~]# uname -mrsv Linux 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 [root at northstar ~]# openconnect -V OpenConnect version v7.07 Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, DTLS ------ -- Tim Preston graywolfe at mac.com
